07-26-2024 03:41 AM
Hi All,
Is IPv6 blocked on Cisco ASA by default? We are running version 9.12 currently and have received a request to block an IPv6 address, and I am pretty sure we haven't used IPv6 in our environment before. So I was wondering if we need to take any action on the same.
Regards,
Vijay
07-26-2024 03:52 AM
Are you seeing an attack on your VPN service, and do you want to deny this IP access to the ASA?
MHM
07-26-2024 04:53 AM
Hi MHM,
No, not for this. Actually this is an internet facing firewall and we block malicious IPs coming on our outside interface as provided by our SOC advisories. But this is the first time we have received a request for an IPv6 address.
07-26-2024 11:49 PM
Does anyone have any idea whether we should be blocking this IPv6 address through, say, an ACL, or will it get blocked by default?
07-29-2024 07:29 AM
I believe that in the routed firewall mode ASA drops all IPv6 if IPv6 addresses are not configured on ASA interfaces, simply because its IPv6 routing table is empty in this case. Transparent firewall mode also requires IPv6 address to be configured.
NB. In ASA ACLs "any" means "any4" OR "any6", so if IPv6 addresses are configured on ASA interfaces, it may let IPv6 through "any" depending on your configuration.
HTH
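The check described in the reply above, as an added example that is not part of the original thread: a Python script that reads an ASA running-config and reports which interfaces have IPv6 configured and which permit ACEs could match IPv6 through `any`/`any6`. The sample config, its interface names, ACL name and addresses are constructed, and the ACE test is a heuristic that does not resolve object-groups.

```python
import re
# Constructed running-config excerpt; interface names, ACL name and addresses are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:0:1::1/64
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any any eq 443
access-list OUTSIDE_IN extended permit tcp any4 any4 eq 25
access-list OUTSIDE_IN extended deny ip any any log
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def ipv6_interfaces(config):
    """Interfaces (by nameif when set) that carry an 'ipv6 address' or 'ipv6 enable' line."""
    found, label = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            label = line.split()[1]
        elif not line.startswith(" "):
            label = None                       # left the interface block
        elif label and line.split()[:1] == ["nameif"]:
            label = line.split()[1]
        elif label and re.match(r"\s+ipv6 (address|enable)\b", line) and label not in found:
            found.append(label)
    return found

def aces_matching_ipv6(config):
    """Permit ACEs whose 'any'/'any6' can match IPv6. Heuristic (assumption of this example):
    an ACE with an IPv4 literal or 'any4' is IPv4-only; object-groups are not resolved."""
    hits = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"] and "permit" in tokens:
            if {"any", "any6"} & set(tokens) and "any4" not in tokens and not IPV4.search(line):
                hits.append(line)
    return hits

def audit(config):
    # ACEs only matter for IPv6 once some interface has IPv6 configured.
    ifaces = ipv6_interfaces(config)
    return {"ipv6_interfaces": ifaces, "ipv6_permits": aces_matching_ipv6(config) if ifaces else []}

if __name__ == "__main__": print(audit(SAMPLE_CONFIG))
```

An empty `ipv6_interfaces` list corresponds to the case in the reply where no IPv6 address is configured on any interface.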
07-29-2024 08:00 AM
The default behavior of the ASA is to prevent any traffic from low to high security even if you do not configure an ACL, and this includes both IPv4 and IPv6.
But to be sure, I ran a lab yesterday to add ipv6 access-list any any log to OUT of the ASA, but the command is unknown.
Sorry, I have limited time these days. I will try soon and update you when I succeed.
Thanks
MHM